|
7 | 7 | - [ ] Use HTTPS everywhere. |
8 | 8 | - [ ] Store password hashes using `Bcrypt` with a random `salt`. |
9 | 9 | - [ ] Destroy the session identifier after `logout`. |
10 | | -- [ ] Destory all active sessions on reset password (or offer to). |
| 10 | +- [ ] Destroy all active sessions on reset password (or offer to). |
11 | 11 | - [ ] Must have the `state` parameter in OAuth2 |
12 | 12 | - [ ] No open redirects after successful login or in any other intermediate redirects. |
13 | 13 | - [ ] While Signup/Login input, sanitize input for javascript://, data://, CRLF characters. |
|
30 | 30 | - [ ] JWT are awesome, use them if required for your single page app/APIs. |
31 | 31 |
|
32 | 32 |
|
33 | | -##### ANDRIOD / IOS APP |
| 33 | +##### ANDROID / IOS APP |
34 | 34 | - [ ] `salt` from payment gateways should not be hardcoded. |
35 | 35 | - [ ] `secret` / `auth token` from 3rd party SDK's should not be hardcoded. |
36 | 36 | - [ ] API calls intended to be done `server to server` should not be done from the App. |
|
46 | 46 | - [ ] `Add` [X-XSS-Protection](https://www.owasp.org/index.php/OWASP_Secure_Headers_Project#X-XSS-Protection) header to mitigate XSS attacks. |
47 | 47 | - [ ] Update DNS records to add [SPF](https://en.wikipedia.org/wiki/Sender_Policy_Framework) record to mitigate spam and phishing attacks. |
48 | 48 | - [ ] Add [subresource integrity checks](https://en.wikipedia.org/wiki/Subresource_Integrity) if loading your JavaScript libraries from a third party CDN. |
49 | | -- [ ] Use random CSRF tokens and expose buisness logic APIs as HTTP POST requests. Do not expose CSRF tokens over HTTP for example in a inital request upgrade phase. |
| 49 | +- [ ] Use random CSRF tokens and expose business logic APIs as HTTP POST requests. Do not expose CSRF tokens over HTTP for example in an initial request upgrade phase. |
50 | 50 | - [ ] Do not use critical data or tokens in GET request parameters. Exposure of server logs or a machine/stack processing them would expose user data in turn. |
51 | 51 |
|
52 | 52 | ##### SANITIZATION OF INPUT |
53 | 53 | - [ ] `Sanitize` all user inputs or any input parameters exposed to user to prevent [XSS](https://en.wikipedia.org/wiki/Cross-site_scripting) |
54 | 54 | - [ ] `Sanitize` all user inputs or any input parameters exposed to user to prevent [SQL Injection](https://en.wikipedia.org/wiki/SQL_injection) |
55 | | -- [ ] Sanitize user input if using it directly for functionalites like CSV import. |
| 55 | +- [ ] Sanitize user input if using it directly for functionalities like CSV import. |
56 | 56 | - [ ] `Sanitize` user input for special cases like robots.txt as profile names in case you are using a url pattern like coolcorp.io/username. |
57 | | -- [ ] Do not hand code or build JSON by string concatentation ever, no matter how small the object is. Use your langauge defined libraries or framework. |
| 57 | +- [ ] Do not hand code or build JSON by string concatenation ever, no matter how small the object is. Use your langauge defined libraries or framework. |
58 | 58 | - [ ] Sanitize inputs that take some sort of URLs to prevent [SSRF](https://docs.google.com/document/d/1v1TkWZtrhzRLy0bYXBcdLUedXGb9njTNIJXa3u9akHM/edit#heading=h.t4tsk5ixehdd). |
59 | 59 | - [ ] Sanitize Outputs before displaying to users. |
60 | 60 |
|
|
0 commit comments